Any change made to the wording of the original claims, unless it results from the provisions of Article R.612-36 of the Intellectual Property Code, is indicated by the mention "R.M." (modified claims).



DEVICES FOR MASKING THE OPERATIONS PERFORMED IN A MICROPROCESSOR CARD

The invention relates to microprocessor cards and, in such cards, to various devices for masking the operations performed in the card, with the aim of improving security against fraudulent intrusions.

Chip cards fall into several categories, namely:

- simple memory cards,

- memory cards known as intelligent cards, and

- microprocessor cards.

A simple memory card allows read and write operations to be performed freely in its electrically erasable read-only memory area. Such a card is of low cost, but it does not offer sufficient security, so that it is used less and less.

An intelligent memory card improves in particular the security of read/write operations by authorising them only when certain conditions implemented in hard-wired form are fulfilled.

A card of the third category contains a microprocessor capable of executing programs stored in a memory and thus of performing computations with secret data that are inaccessible to the world outside the card. Thus, a key stored in the memory can be used to validate an electronic transaction, such as a purchase or the opening of a door, without ever having to be handled outside the card.
Unfortunately, some microprocessors exhibit a current consumption that depends on the computations performed inside the card. Thus, a cryptographic computation whose computation tree depends on the digits of the key used will have a different current consumption signature according to the value of that key. As a result, a fraudster could correlate the current consumption signature with the key used and thereby recover the value of the key.

To prevent this correlation, a common countermeasure consists in programming the cryptographic algorithm in such a way that, whatever the value of the key, the algorithm always goes through the same computation steps.

Many so-called "byte-oriented" algorithms lend themselves well to this mode of programming, but others pose technical problems that can only be overcome at the cost of less optimal computational performance.

The present invention therefore aims to implement, in microprocessor cards, devices for masking the operations performed while leaving the programmer free to choose the programming rules, whether of the "byte-oriented" type or not.

This aim is achieved by modifying or scrambling the consumption of the card so that its signature is independent of the computations performed. This modification or scrambling of the signature can be obtained by adding to the card a device that modifies the current consumption.

In a first embodiment, this device consumes electrical power in an irregular or random manner, which adds to the normal consumption.

In a second embodiment, this device produces an average consumption by performing, for example, an integration of the current consumed.

In a third embodiment, this device triggers the programming or erasing circuit of the microprocessor's memory, which consumes power in a chaotic manner; that power masks the consumption due to the operations performed by the microprocessor during the programming or erasing of the memory.

Other features and advantages of the present invention will become apparent on reading the following description of particular embodiments, that description being made with reference to the accompanying drawings, in which:

- Figure 1 is a functional diagram of a first embodiment of the invention,

- Figure 2 is a functional diagram of a second embodiment of the invention, and

- Figure 3 is a functional diagram of a third embodiment of the invention.
In the figures, each of which schematically shows different means for implementing the invention, the electronic chip 10 containing the card's microprocessor comprises a central processing unit 12 and at least one memory 14, for example of the type known by the acronym EEPROM (Electrically Erasable Programmable Read Only Memory). This electronic chip has several input and/or output terminals 16_1 to 16_8, one of which, referenced 16_1, is connected to an electrical supply circuit 18 of voltage V_CC, while the one referenced 16_5 is connected to ground.

The supply circuit 18 supplies the various elements of the electronic chip 10, in particular the memory 14 and the central processing unit 12, with a current I_out. This current I_out varies according to the operations performed by the central processing unit and the memory and therefore reflects the cryptographic computations, which could make it possible to determine the key. So that this current I_out no longer reflects the operations performed, the invention proposes to modify it by means of a device 20 or 30 arranged in the chip 10 and connected, for example, to the input terminal 16_1.

The invention proposes to modify the current in two different ways. The first consists in having the device 20 (Figure 1) consume current in a random, or at least irregular, manner; this additional random consumption, added to the normal current consumption I_in, makes the value of I_out random.

The second way consists in averaging the value of I_out, which makes it impossible to detect the variations of I_in due to the operations performed.

In the first case, the device 20 can be implemented with resistors 30 (in fact transistors) that are powered or not according to the random signals supplied by a generator 28. The currents flowing through the powered resistors add up, modifying the value of the total current and masking the current due to the cryptographic computations.

In the second case, the average of the current I_out is obtained by an integrator that "smooths" the variations of the current I_in so as to erase them.



According to the invention, several devices 20 or 30, referenced 20_1 and 30_1, can be connected at different points of the electronic chip, for example on the supply conductor of the central processing unit (reference 22). Furthermore, these devices 20, 20_1, 30 and 30_1 can be connected or not according to whether the operations need to be secured, the connections being made under the control of signals supplied by the central processing unit 12 (dashed lines).

The invention proposes a third way of scrambling the value of I_out: performing the operations to be secured, such as cryptographic computations, during certain phases of the programming or erasing operations of the memory 14, those operations being under the control of the central processing unit 12.

This third way relies on the use of a memory 14 of the EEPROM type that has the capability of self-writing.

In the usual mode of operation, the microprocessor starts up a programming circuit 24 of the memory 14 according to the following steps:

1 - start the charge pump,

2 - present the data to be written on the data bus,

3 - present the write address on the address bus,

4 - start programming,

5 - wait for the programming delay,

6 - stop programming,

7 - stop the charge pump.

Since programming an EEPROM cell requires injecting electric charges into the programmed cell, steps 4, 5 and 6 are accompanied by an over-consumption of current of chaotic appearance that depends essentially on the value of V_CC, on the address, on the programmed value and on the temperature of the component.

In order to mask the current consumption signature of a cryptographic computation, for example, the invention proposes to use the chaotic consumption of steps 4, 5 and 6 by performing the cryptographic computation during step 5, which lasts a few milliseconds.

To do this, the cryptographic computation is carried out according to the following steps:

1 - start the charge pump,

2 - present random data on the data bus,

3 - present a write address on the address bus,

4 - start programming,

5 - perform the cryptographic computation,

6 - stop programming,

7 - stop the charge pump.

Through these steps, the current consumption signature due to the cryptographic computation of step 5 is masked by the writing of the random data into a specific part 26 of the EEPROM memory reserved for this function.

Instead of a cryptographic computation, step 5 may consist of any operation to be secured with respect to the outside.

Moreover, instead of performing these operations to be secured during a write to the memory 14, they can be performed during an erasure of the memory 14.
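The three masking devices described above can be compared on a toy leakage model. The following Python program is an added example and is not part of the patent: it models the supply current I_in with a Hamming-weight leakage model (baseline plus a term proportional to the number of set bits in the secret byte being processed), applies a model of each device to the trace, and scores the residual leakage with the Pearson correlation between the observed trace and the secret-dependent term, the kind of figure a defender uses to compare countermeasures. The resistor count and step, the integrator window, the programming-noise amplitude and the secret bytes are all constructed assumptions.

```python
"""Toy comparison of the three current-masking devices (added example).

I_in is modelled as a baseline plus one unit per set bit of the secret byte
being processed (a standard Hamming-weight leakage model). Each device
transforms the trace; residual_leakage() reports how much of the
secret-dependent component is still visible (1.0 = fully readable).
All constants below are constructed for illustration, not from the patent.
"""
import math
import random
from typing import List, Sequence


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def raw_trace(secret: Sequence[int], baseline: float = 10.0, leak: float = 1.0) -> List[float]:
    """I_in: one current sample per processed secret byte, leaking its Hamming weight."""
    return [baseline + leak * hamming_weight(b) for b in secret]


def random_resistor_bank(trace: List[float], rng: random.Random,
                         n_resistors: int = 8, step: float = 2.0) -> List[float]:
    """Device 20: a bank of resistors, each powered or not by a random bit from
    generator 28; the extra current is added to I_in."""
    return [s + step * sum(rng.getrandbits(1) for _ in range(n_resistors)) for s in trace]


def integrator(trace: List[float], window: int = 8) -> List[float]:
    """Device 30: an integrator that smooths I_in, modelled as a moving average."""
    out = []
    for i in range(len(trace)):
        lo = max(0, i - window + 1)
        out.append(sum(trace[lo:i + 1]) / (i + 1 - lo))
    return out


def eeprom_programming_noise(trace: List[float], rng: random.Random,
                             amplitude: float = 40.0) -> List[float]:
    """Third embodiment: the chaotic over-consumption of EEPROM programming
    (steps 4 to 6) running concurrently with the computation of step 5,
    modelled as large uniform noise during the whole computation."""
    return [s + rng.uniform(0.0, amplitude) for s in trace]


def pearson(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def residual_leakage(trace: List[float], secret: Sequence[int]) -> float:
    """Correlation between the observed trace and the secret's Hamming weights."""
    return pearson(trace, [hamming_weight(b) for b in secret])


def evaluate(n: int = 2000, seed: int = 1) -> dict:
    """Score the unmasked trace and each device on the same constructed secret."""
    rng = random.Random(seed)
    secret = [rng.randrange(256) for _ in range(n)]   # constructed secret bytes
    base = raw_trace(secret)
    return {
        "unmasked": residual_leakage(base, secret),
        "random resistors (device 20)": residual_leakage(random_resistor_bank(base, rng), secret),
        "integrator (device 30)": residual_leakage(integrator(base), secret),
        "eeprom programming (part 26)": residual_leakage(eeprom_programming_noise(base, rng), secret),
    }


if __name__ == "__main__":
    for name, r in evaluate().items():
        print(f"{name:32s} correlation = {r:.3f}")
```

The unmasked trace scores a correlation of 1.0 by construction; the resistor bank and the programming noise lower it in proportion to the noise they add, and the integrator's residual is governed by its window (about 1/sqrt(window) for independent samples), which is why a longer integration smooths more.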
CLAIMS

1 - Device for masking the operations performed by a component intended to be integrated into a chip card, characterised in that it comprises at least one means (20, 30, 28, 26) for modifying the current consumption of said component during the performance of said operations.

2 - Device according to claim 1, characterised in that the means for modifying the current consumption comprises at least one integrator circuit (30) of the component's current so as to average the variations of this current over time.

3 - Device according to claim 1, characterised in that the means for modifying the current consumption comprises at least one random signal generator (28) and a bank of resistors (20), the powering of each of the resistors being controlled by the random signals.

4 - Device according to claim 1, characterised in that it comprises a plurality of means (20, 20_1, 30, 30_1) for modifying the current consumption.

5 - Device according to claim 1, characterised in that the means for modifying the current consumption of the component, in the case of a memory (14) of the EEPROM type, consists in performing simultaneously:

- a write or erase operation of the memory (14), known as masking, and

- an operation of the microprocessor.

6 - Device according to claim 5, characterised in that, to implement a masking write operation, the memory (14) comprises a part (26) dedicated to recording random data.

7 - Device according to any one of claims 1 to 5, characterised in that the starting of each of the means for modifying the current consumption is controlled by the microprocessor (12) so as to be started only for the operations to be secured.

8 - Device according to claim 5, characterised in that the microprocessor (12) performs at least the cryptographic computation according to the following steps:

- start the charge pump,

- present random data on the data bus,

- present a write address on the address bus,

- start programming,

- perform the cryptographic computation,

- stop programming,

- stop the charge pump,

so as to mask the current consumption signature caused by said cryptographic computation.

9 - Method for masking the operations performed by a

- start the charge pump,

- present random data on the data bus,

- present a write address on the address bus,

- start programming,

- perform the cryptographic computation,

- stop programming,

- stop the charge pump.
CLAIMS

1. Device for masking the operations performed by a component intended to be integrated into a microprocessor chip card, characterised in that it comprises at least one means (20, 30, 28, 26) for modifying the current consumption of said component during the performance of said operations.

2. Device according to claim 1, characterised in that the means for modifying the current consumption comprises at least one integrator circuit (30) of the component's current so as to average the variations of this current over time.

3. Device according to claim 1, characterised in that the means for modifying the current consumption comprises at least one random signal generator (28) and a bank of resistors (20), the powering of each of the resistors being controlled by the random signals.

4. Device according to claim 1, characterised in that it comprises a plurality of means (20, 20_1, 30, 30_1) for modifying the current consumption.

5. Device according to claim 1, characterised in that the means for modifying the current consumption of the component, in the case of a memory (14) of the EEPROM type associated with a central processing unit (12) of the microprocessor, comprises a means for performing simultaneously a write or erase operation of a memory (14), known as masking, and an operation of the microprocessor.

6. Device according to claim 5, characterised in that, to implement a masking write or erase operation, the memory (14) comprises a part (26) dedicated to recording random data.

7. Device according to any one of claims 1 to 6, characterised in that it further comprises a means for starting each of the means for modifying the current consumption at each operation to be secured.

8. Method for implementing the device according to claim 5 or 6, characterised in that, in the case of a cryptographic computation, it comprises the following steps, consisting in:

- starting the charge pump,

- presenting random data on the data bus,

- presenting a write address on the address bus,

- starting programming,

- performing the cryptographic computation,

- stopping programming, and

- stopping the charge pump.

9. Method for masking the operations performed by a component, characterised in that it comprises the following steps:

- start the charge pump,

- present random data on the data bus,

- present a write address on the address bus,

- start programming,

- perform the cryptographic computation,

- stop programming, and

- stop the charge pump.
Smart-Card Based Access Control System with Improved Security

The present invention involves access control systems including an integrated circuit (IC) card, or "smart" card, for limiting access to information in signal processing applications. Systems such as pay-TV systems include access control sub-systems that limit access to certain programs or channels. Only users who are entitled (e.g., paid a fee) are permitted to view the programs. One approach to limiting access is to modify the signal by, for example, scrambling or encrypting the signal. Scrambling typically involves modifying the form of the signal using methods such as removing synchronization pulses. Encryption involves modifying a data component included in the signal according to a particular cryptographic algorithm. Only individuals who are entitled to access are given the "key" needed to descramble or decrypt the signal. The terms scrambling and descrambling as used below are intended to encompass access control techniques in general, including cryptography and scrambling.

Access control systems may include an integrated circuit (IC) card, or "smart" card, feature. A smart card is a plastic card the size of a credit card that has a signal processing IC embedded in the plastic. A smart card is inserted into a card reader that couples signals to and from the IC in the card. International Standards Organization (ISO) standard 7816 establishes specifications for an IC card interface. In particular, ISO standard 7816-2 specifies that the electrical interface to the card will be via eight contacts positioned on the card surface as shown in Figure 2A. Six of the eight signals at the contact points are defined as VCC (supply voltage), RST (reset signal), CLK (clock signal), GND (ground), VPP (programming voltage for programming memory in the card IC), and I/O (serial data input/output). Two contacts are reserved for future use. The assignment of the signals to the smart card contacts is shown in Figure 2B.

The IC in a smart card processes data such as security control information as part of an access control protocol. The IC includes a control microcomputer, such as the 6805 processor from Motorola Semiconductor, Austin, Texas, which includes ROM, EEPROM, and RAM memory. The processor performs various security control functions including entitlement management and generating the key for descrambling the scrambled data component of the signal.

Entitlement management involves modifying information stored in the card that specifies the card owner's entitlements (i.e., programs and services that a user is entitled to access). The processor adds and deletes entitlements in response to entitlement information in entitlement management messages (EMM) that are included in the input signal. EMM data typically indicates entitlement to a particular service, e.g., all programming on a particular channel, or to a particular program offered by a service, e.g., one movie on a particular channel. Because EMM relates to relatively long term entitlement, EMM typically occurs infrequently in a signal.

Once entitled to a service or program, descrambling of the service or program can occur only after generating a descrambling key. Key generation occurs in response to entitlement control messages (ECM) that are also included in the input signal. ECM provides initialization data for key generation routines that are executed by the processor. Each time a service provider changes the scrambling key, ECM data is included in the signal so that a system entitled to access can generate the corresponding new descrambling key. To aid in preventing unauthorized access to scrambled signals, the key is changed frequently, e.g., every two seconds. Thus, ECM data occurs frequently in the signal.

EMM and ECM data is transferred to the smart card for processing via the serial I/O terminal of the ISO standard 7816 interface. The serial I/O terminal is also used to transfer the generated key from the card to a descrambler unit in the video signal processing channel. The descrambler descrambles the data component of the input signal, e.g., video and audio data, using the key to produce a descrambled, or "plaintext", output signal. Descrambling involves reversing the effects of the scrambling process, e.g., re-inserting sync pulses or decrypting data using the inverse of the encryption algorithm. The descrambled signal is processed further by the signal processing channel to produce video and audio signals suitable for coupling to output devices such as a kinescope and a loudspeaker, respectively.

Including a descrambling function in the video signal processing channel involves adding descrambling hardware to the system. The hardware may be included in a consumer electronics (CE) device, such as a television receiver, or may be in a stand-alone decoder unit, such as a cable box. Including descrambling hardware in a CE device or separate decoder unit dedicates the device to a particular access control system. For example, the hardware may be appropriate for descrambling only a particular type of scrambling algorithm. If the service provider decides to change to a different access control system, e.g., due to security problems, replacing the descrambling hardware involves the expensive and difficult task of modifying CE devices and/or replacing decoder units.

In addition, transferring data between a smart card and the system using the smart card provides an opportunity for a hacker to attack the security system. Because the security control IC is embedded in the smart card, a hacker cannot access the IC directly as part of an attempt to "hack", i.e., defeat, the security algorithm. Attempting to de-laminate the smart card to access the IC will destroy the IC. However, a hacker can monitor a transfer of data between a smart card and other parts of the system. By monitoring a data transfer, a hacker might intercept key data being transferred to an external descrambler, thereby compromising the access control system. Similarly, a hacker can monitor a transfer of entitlement data to and from the smart card. By detecting changes between entitlement data being input to a smart card and entitlement information being output from a smart card, a hacker might obtain information regarding the access control algorithm that is being used in the smart card.

The invention resides, in part, in recognition of the described problems and, in part, in providing a solution to the problems. In accordance with an aspect of the invention, a smart card processes first and second signal components of an input signal to produce corresponding first and second processed signals. The second processed signal is combined with the first signal component of the input signal to produce an output signal from the smart card.

In accordance with another aspect of the invention, the first signal component of the input signal is combined with the second processed signal to produce a predetermined timing relationship between the first signal component and the second processed component in the output signal.

In accordance with another aspect of the invention, the first signal component of the input signal is delayed before being combined with the second processed signal such that the output signal exhibits the predetermined timing relationship.

In accordance with another aspect of the invention, the predetermined timing relationship is substantially the same as a timing relationship that exists between the first and second signal components of the input signal.

In accordance with another aspect of the invention, the first signal component of the input signal is delayed through a first-in-first-out memory device included in the smart card prior to being combined with the second processed signal.

In accordance with another aspect of the invention, the first and second signal components of the input signal include scrambled information. The first and second processed signals include descrambled information corresponding to the scrambled information in the first and second signal components of the input signal.

In accordance with another aspect of the invention, the first signal component of the input signal comprises scrambled entitlement data for a pay-for-access service, such as a pay TV channel, and the second signal component of the input signal comprises scrambled data provided by the pay-for-access service provider, such as scrambled video or audio data.
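The delay aspect described above, in which the first signal component is held in a first-in-first-out memory for as long as the second component spends in the descrambler so that the output keeps the input's timing relationship, can be shown with a small clock-driven model. The following Python program is an added example and is not part of the patent: the tick-and-value representation of the components, the fixed pipeline latency and the one-byte XOR standing in for the (unspecified) descrambling algorithm are all constructed assumptions.

```python
"""Clock-driven model of the FIFO delay in the smart card (added example).

Component 1 is the entitlement data, component 2 the scrambled program data.
Component 2 takes `latency` ticks to pass through the descrambler; the FIFO
holds component 1 for the same number of ticks so that their relative timing
at the output equals their relative timing at the input.
"""
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple

# Constructed representation of one input or output word: (tick, component, value)
TimedSample = Tuple[int, int, int]


def descramble_word(value: int, key: int) -> int:
    """Stand-in for descrambling one word of the second component; the patent
    does not name the algorithm, so a one-byte XOR placeholder is used here."""
    return (value ^ key) & 0xFF


def run_card(inputs: List[TimedSample], key: int, latency: int,
             use_fifo: bool = True) -> List[TimedSample]:
    """Run the card one clock tick at a time and return the merged output stream.

    With use_fifo=True component 1 is delayed through a FIFO of depth `latency`
    (the invention); with use_fifo=False it is passed straight through, which
    shows why the FIFO is needed.
    """
    by_tick: Dict[int, Tuple[int, int]] = {t: (c, v) for t, c, v in inputs}
    pipe: Deque[Optional[int]] = deque([None] * latency)   # descrambler pipeline
    fifo: Deque[Optional[int]] = deque([None] * latency)   # delay for component 1
    output: List[TimedSample] = []
    for tick in range(max(by_tick) + latency + 1):
        c1 = c2 = None
        sample = by_tick.get(tick)
        if sample is not None:
            if sample[0] == 1:
                c1 = sample[1]
            else:
                c2 = descramble_word(sample[1], key)
        pipe.append(c2)             # word enters the descrambler this tick
        ready2 = pipe.popleft()     # word that leaves it this tick (entered `latency` ticks ago)
        if use_fifo:
            fifo.append(c1)
            ready1 = fifo.popleft()
        else:
            ready1 = c1
        if ready1 is not None:
            output.append((tick, 1, ready1))
        if ready2 is not None:
            output.append((tick, 2, ready2))
    return output


def relative_timing(samples: List[TimedSample]) -> List[Tuple[int, int]]:
    """Timing relationship between the components: (tick relative to the first
    sample, component) for every sample, independent of any absolute delay."""
    t0 = samples[0][0]
    return [(t - t0, c) for t, c, _ in samples]


# Constructed input: an entitlement word, two scrambled words, another
# entitlement word three ticks later, one more scrambled word.
SAMPLE_INPUT: List[TimedSample] = [
    (0, 1, 0x11), (1, 2, 0xAA), (2, 2, 0xBB), (5, 1, 0x22), (6, 2, 0xCC),
]
KEY = 0x5A
LATENCY = 3

if __name__ == "__main__":
    for use_fifo in (True, False):
        out = run_card(SAMPLE_INPUT, KEY, LATENCY, use_fifo)
        preserved = relative_timing(out) == relative_timing(SAMPLE_INPUT)
        print(f"FIFO {'on ' if use_fifo else 'off'}: {out}  timing preserved: {preserved}")
```

With the FIFO in place the whole output is simply shifted by the pipeline latency; without it the entitlement words overtake the program data they belong with, and the timing relationship of the input is lost.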

The invention may be better understood by referring to the accompanying drawing in which:

Figure 1 shows, in block diagram form, a signal processing system including a smart card that provides both entitlement processing and descrambling;

Figure 2A shows the location of signal contacts on the surface of a smart card in accordance with ISO standard 7816-2;

Figure 2B shows the assignment of smart card interface signals to signal contacts shown in Figure 2A in accordance with ISO standard 7816-2;

Figure 3 shows a format that data included in a signal processed by the system shown in Figure 1 may exhibit;

Figure 4 shows, in block diagram form, an embodiment of signal processing functions included in a smart card suitable for use with the system shown in Figure 1;

Figures 5 through 8 illustrate signal routing through the smart card shown in Figure 4 during various modes of operation of the system shown in Figure 1.

An embodiment of a smart card access control system including the invention will be described in reference to an exemplary video signal processing system that is shown in block diagram form in Figure 1. The system shown in Figure 1 includes signal processing functions that may be found in various signal processing systems. A specific example is the DSS® direct-broadcast satellite television system developed by Thomson Consumer Electronics, Inc.
For a pay-TV service that involves a smart card based access control system, a user wishing to purchase the service contacts the service provider, pays a service-access fee and receives a smart card. A card is issued to a user with initial entitlement information stored in the card's EEPROM. Entitlement information may include data identifying the user and data specifying the scope of initial access entitlement (e.g., duration and/or specific programs the user has paid for). In addition, application-specific key generation software is stored in the card memory.

Entitlement information stored in the card can be modified by the service provider from a remote location using entitlement management messages (EMM) and entitlement control messages (ECM) that are inserted into portions of the signal. EMM includes information indicating subscription (long term access) and pay-per-view (single program access) services that the user has paid for. EMM may be directed to a particular smart card by including identification information in EMM data that corresponds to the identification information stored in the particular smart card. ECM includes data such as initialization data needed to generate descrambling keys. Thus, a signal for a particular program includes both a scrambled data component comprising video and audio data, and a control information component comprising EMM and ECM.

When the user wishes to access a pay-TV service, smart card 180 in Figure 1 is inserted into card reader 190. Card reader 190 couples signals between smart card 180 and a signal processing channel comprising units 100 through 170 in Figure 1. More specifically, card reader 190 connects to eight terminals that are located on the surface of smart card 180 as specified in ISO standard 7816-2 (see Figure 2). The connection established by card reader 190 creates interface 187 between smart card 180 and the signal processing channel. In accordance with an aspect of the invention described further below, the eight signals in interface 187 include signals 184, a high speed data input/output (I/O) port for smart card 180, and signals 182, a subset of the ISO standard IC card interface signals.

The desired program or service is selected by tuning the receiver to the appropriate channel using tuner 100. Tuner 100 is controlled by microcontroller 160 in response to user inputs. For example, microcontroller 160 may receive channel selection signals from a remote control (not shown in Figure 1) activated by a user. In response to the channel selection signals, microcontroller 160 generates control signals causing tuner 100 to tune the selected channel.

The output of tuner 100 is coupled to forward error corrector (FEC) 110. FEC 110 monitors error control information, such as parity bits in the tuned signal, to detect errors and, depending on the error control protocol, to correct errors. Microcontroller 160 is coupled to FEC 110 to monitor the occurrence of errors in the signal and control the processing of errors. FEC 110 also performs an analog-to-digital conversion (ADC) function to convert the analog output of tuner 100 to a digital signal at the output of FEC 110.

Transport unit 120 processes the signal from FEC 110 to detect and separate various types of data in the tuned signal. The data in the signal may be arranged in various formats. Figure 3 shows an exemplary data format that serves as the basis for the following description. The signal depicted in Figure 3 comprises a stream of data organized in packets of data bytes, i.e., "packetized" data. Each packet is associated with a particular type, or sub-stream, of information in the tuned channel's data stream. For example, the signal includes packets of program-guide information, control information (e.g., ECM or EMM), video information, and audio information. The sub-stream that a particular packet is associated with is defined by data included in a header portion of each packet. A payload portion of each packet includes the packet data. The exemplary data format shown in Figure 3 includes two bytes (16 bits) of data in the header and 186 bytes of data in the payload.
The first twelve bits of the header in each packet are program identification (PID) data bits. PID data identifies the data substream that the payload data is associated with. An example of the information provided by PID data follows:

TABLE 1

PID Value    Payload content
1            program-guide information
4            EMM
10           video data for channel 101
11           audio data for channel 101

Other PID values identify video and audio data for other channels.

As part of the tuning process, microcontroller 160 refers to a PID "map" stored in the microcontroller's memory to determine the PID values associated with the tuned channel. The appropriate PID values are loaded into PID registers in transport unit 120. For example, when channel 101 is selected, microcontroller 160 accesses the stored PID map, determines that video data and audio data for channel 101 are associated with PID values of 10 and 11, respectively, and loads the values 10 and 11 into respective video and audio PID registers in transport unit 120. The PID data in incoming packets is compared to the PID values stored in the PID registers to determine the content of the payload of each packet. Microcontroller 160 can update the PID map data in response to PID-to-channel correspondence information in "program guide" packets (PID value of 1).
The last four bits of the header portion of each packet
further define the payload contents as follows:

TABLE 2

Header bit   Designation   Function

    13       ECM flag      indicates if payload is ECM
    14                     reserved
    15       ENC flag      indicates if payload is encrypted
    16       Key flag      indicates whether payload key is key A or key B

The ECM flag being active, e.g., at logic 1, indicates that the
payload includes ECM data such as initialization data for key
generation. The ENC flag being active indicates that the payload is
encrypted and, therefore, must be descrambled. The key flag
determines which one of two keys, key A or key B, should be used
for descrambling the payload (e.g., logic 0 indicates key A, logic 1
indicates key B). Use of the key flag is described below in regard
to Figure 7.

Transport unit 120 in Figure 1 extracts and processes 
the header data in response to a packet clock signal shown in 
Figure 3. The packet clock signal is generated and synchronized to 
the data stream by FEC 110. Each transition of the packet clock 
signal indicates the beginning of a packet. Transport unit 120 
processes the 16 bits of header data following each packet clock 
signal transition to determine the destination for the packet 
payload. For example, transport unit 120 transfers payloads 
containing EMM (PID value of 4) and ECM to security controller 
183 in smart card 180 via microcontroller 160. Video and audio 
data are directed to demux/descrambler 130 for descrambling 
and demultiplexing into video and audio signals. Program guide
data (PID value of 1) is directed to microcontroller 160 for PID
map updating.
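As an added illustration of the header decoding and PID routing described above (example code written for this page, not from the patent), the following C model decodes the two header bytes of Figure 3 into the PID and the Table 2 flags and routes the payload the way transport unit 120 does for channel 101. The flag positions and the channel-101 register values come from Tables 1 and 2; the assumption that header bit 1 is the most significant bit of the first byte on the wire is the example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Model of the 16-bit packet header of Figure 3 per Tables 1 and 2: header bits
 * 1-12 carry the PID, bits 13-16 the ECM, reserved, ENC and key flags. Bit 1 is
 * assumed to be the most significant bit of the first header byte (the patent
 * does not state the bit order on the wire). */
#define HDR_ECM_FLAG  (1u << 3)   /* bit 13: payload carries ECM */
#define HDR_RESERVED  (1u << 2)   /* bit 14: reserved */
#define HDR_ENC_FLAG  (1u << 1)   /* bit 15: payload is encrypted */
#define HDR_KEY_FLAG  (1u << 0)   /* bit 16: 0 = key A, 1 = key B */

enum dest {
    DEST_DROP,                 /* PID not part of the tuned channel */
    DEST_MICROCONTROLLER,      /* program guide -> microcontroller 160 (PID map update) */
    DEST_SECURITY_CONTROLLER,  /* EMM or ECM -> security controller 183 */
    DEST_VIDEO_DESCRAMBLER,    /* video -> demux/descrambler 130 */
    DEST_AUDIO_DESCRAMBLER     /* audio -> demux/descrambler 130 */
};

struct header {
    uint16_t pid;              /* 12-bit program identifier */
    bool ecm, enc, key_b;
};

/* PID registers of transport unit 120, loaded by microcontroller 160 from its
 * PID map; the values are those of Table 1 for channel 101. */
struct pid_regs { uint16_t program_guide, emm, video, audio; };
static const struct pid_regs channel_101 = { 1, 4, 10, 11 };

/* Pack a PID and flag bits into the 16-bit header (used to construct packets). */
uint16_t encode_header(uint16_t pid, unsigned flags) {
    return (uint16_t)(((pid & 0x0FFFu) << 4) | (flags & 0x0Fu));
}

/* Decode the two header bytes that follow a packet clock transition. */
struct header decode_header(uint8_t first_byte, uint8_t second_byte) {
    uint16_t raw = (uint16_t)((first_byte << 8) | second_byte);
    struct header h;
    h.pid   = raw >> 4;
    h.ecm   = (raw & HDR_ECM_FLAG) != 0;
    h.enc   = (raw & HDR_ENC_FLAG) != 0;
    h.key_b = (raw & HDR_KEY_FLAG) != 0;
    return h;
}

/* Decide where transport unit 120 sends the payload. ECM may ride in any
 * packet type, so the ECM flag is checked before the PID comparison. */
enum dest route_payload(const struct header *h, const struct pid_regs *regs) {
    if (h->ecm)                        return DEST_SECURITY_CONTROLLER;
    if (h->pid == regs->emm)           return DEST_SECURITY_CONTROLLER;
    if (h->pid == regs->program_guide) return DEST_MICROCONTROLLER;
    if (h->pid == regs->video)         return DEST_VIDEO_DESCRAMBLER;
    if (h->pid == regs->audio)         return DEST_AUDIO_DESCRAMBLER;
    return DEST_DROP;
}

/* Route a packet from its raw header bytes using the channel-101 registers. */
enum dest route_bytes(uint8_t first_byte, uint8_t second_byte) {
    struct header h = decode_header(first_byte, second_byte);
    return route_payload(&h, &channel_101);
}

int main(void) {
    const char *names[] = { "drop", "microcontroller 160", "security controller 183",
                            "video descrambler", "audio descrambler" };
    uint16_t hdr = encode_header(10, HDR_ENC_FLAG | HDR_KEY_FLAG);  /* video, encrypted, key B */
    printf("header 0x%04X -> %s\n", hdr, names[route_bytes(hdr >> 8, hdr & 0xFF)]);
    return 0;
}
```

The ECM check comes first because, as the text states later, ECM may be carried in any packet type; a router that compared the PID first would send an ECM payload inside a video packet to the descrambler instead of to the security controller.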

Security controller 183 processes EMM and ECM data 
to provide access control functions including entitlement 
management and key generation. Security controller 183 is 
included in integrated circuit (IC) 181 and comprises a 
microprocessor such as the 6805 processor from Motorola. 
Entitlement management involves processing EMM data to 
determine how and when entitlement information stored in IC 
181 is to be updated, i.e. adding and deleting entitlements. ECM 
data provides initial values needed for security controller 183 to 
generate descrambling keys. After being generated by security 
controller 183, a key is transferred via microcontroller 160 to 
descrambler 130 where the scrambled data component of the 
input signal, e.g., the video and audio program data, from the 
tuned channel is descrambled. In accordance with principles of 
the invention that are described further below, the descrambling 
function may also be provided by descrambler 185 included in IC 
181. 

Descrambled video and audio data is decompressed in
video decompressor 140 and audio decompressor 145,
respectively. Program data is compressed at the program source
using any one of a variety of known data compression algorithms.
Decompressors 140 and 145 reverse the effects of the
compression algorithm.

The outputs of video and audio decompressors 140
and 145 are coupled to respective video and audio signal
processors 150 and 155. Audio signal processor 155 may include
functions such as stereo signal generation and digital to analog
conversion for converting the digital output signal from
decompressor 145 to an analog audio output signal AOUT from
processor 155 that can be coupled to a loudspeaker (not shown in
Figure 1). Video signal processor 150 also includes digital to
analog conversion capability to convert the digital output of
decompressor 140 to an analog video output signal VOUT that is
suitable for display on a display device such as a kinescope.
Video processor 150 also provides signal switching necessary to
include an on-screen display (OSD) signal, produced by OSD
processor 170, in signal VOUT. The OSD signal represents, for
example, graphics information such as a channel number display
that is to be included in the displayed image. Video switches in
video processor 150 multiplex the OSD signal into signal VOUT as
required to produce the desired display. The operation of OSD
processor 170 is controlled by microcontroller 160.

Returning to the access control features of the system
shown in Figure 1, the features and function of smart card 180
may be better understood by referring to the block diagram of
smart card IC 181 that is shown in Figure 4. Reference numerals
in Figure 4 that are the same as in Figure 1 indicate the same or
similar features. In Figure 4, integrated circuit (IC) 181 includes
security controller 183 comprising a central processing unit (CPU)
421, RAM 426, ROM 425, EEPROM 423 and serial I/O unit 424.
CPU 421 is a processor such as the 6805 from Motorola. Key
generation and entitlement management software is stored in
ROM 425 and EEPROM 423.

Data specifying current entitlements is also stored in
EEPROM 423 and is modified in response to information in
entitlement management messages (EMM) in the received signal.
When an EMM packet is detected by transport processor 120 in
Figure 1 (packet PID value of 4), microcontroller 160 in Figure 1
transfers the packet payload to security controller 183 via serial
I/O unit 424. CPU 421 transfers the EMM data in the payload to
RAM 426. CPU 421 processes the EMM data and modifies
entitlement data stored in EEPROM 423 accordingly.

Packet payloads that include entitlement control
messages (ECM), as indicated by the ECM flag in the packet header
being active, are transferred from transport unit 120 to security
controller 183 via microcontroller 160 and serial I/O unit 424.
Any type of packet, e.g., EMM, video, or audio, may include ECM.
ECM data is used for generating the descrambling key for a
particular type of data. For example, ECM data in an EMM packet
is used to generate an EMM descrambling key. When transferred
to security controller 183, ECM data is stored in RAM 426 until
processed by CPU 421. Key generation software stored in EEPROM
423 and ROM 425 is executed by CPU 421 using the ECM data in
RAM 426 to generate a particular key. The ECM data provides
information such as initial values required by the key generation
algorithms. The resulting key is stored in RAM 426 until
transferred by CPU 421 to descrambler 130 via serial I/O unit
424 and microcontroller 160.

EMM and ECM data may be encrypted as indicated by
encryption flag ENC in the packet header being active. Encrypted
data is transferred from transport unit 120 to descrambler 130
for descrambling before being transferred to security controller
183 for entitlement management or key generation processing.

The features and operation of IC 181 that have been
described are typical of known smart card systems. As stated
above, however, using a descrambling unit external to a smart
card, such as descrambler 130, substantially degrades system
security and makes changing descrambling hardware undesirable.
The arrangement shown in Figures 1 and 4 includes features that
significantly improve security in comparison to known smart card
systems. In particular, IC 181 of smart card 180 includes
descrambler unit 185 and high data rate synchronous interface
184 comprising separate serial data in and serial data out lines.
The combination of descrambler 185 and interface 184 makes it
possible for all access control processing to occur within smart
card 180.

In Figure 1, card reader 190 couples both ISO standard
interface signals 165 from microcontroller 160 and high speed
interface signals 125 from transport unit 120 to smart card 180
via portions of smart card interface 187 that are labeled 182 and
184, respectively. Figure 4 shows the signals included in interface
187. ISO standard signals 182 comprise power, ground, reset, and
serial I/O in Figure 4 (corresponding to VCC, GND, RST, and I/O in
Figure 2B). High speed interface signals 184 comprise high speed
data-in and data-out signals, a packet clock signal, and a high
frequency (e.g. 50 MHz) clock signal. ISO standard signal VPP
(programming voltage) is replaced by the packet clock signal
allowing interface 187, including both high and low speed
interfaces, to be implemented using the ISO standard
configuration of eight contacts that is shown in Figure 2A.

Eliminating signal VPP does not preclude the system
shown in Figure 1 from operating with existing ISO standard
smart cards that do not include descrambler 185 and high speed
data interface 184. Existing smart cards typically include EEPROM
circuits that do not require a separate programming voltage. A
"charge pump" feature generates the required programming
voltage from the card supply voltage when programming is
required. Thus, the VPP signal as specified by the ISO standard is
an "unused" terminal for most existing ISO standard smart cards.
Use of the system with existing smart cards does require
modifying the operation of the system such that high speed
interface 184 and descrambler 185 are not used. The required
modification can be achieved by changing only the control
software for controller 160.

Descrambler 185 operates at a high data rate in
response to the high frequency clock signal while security
controller 183 requires a lower frequency clock signal. Divider
422 in IC 181 divides the 50 MHz clock signal to produce a lower
frequency clock signal suitable for security controller 183. Thus,
the single high frequency clock signal serves as a timing signal for
controlling the operation of both security controller 183 and
descrambler 185. Using divider 422 avoids dedicating two of the
eight smart card interface signals to separate high and low
frequency clock signals.

Descrambler 185 includes transport decode unit 472,
PID & ECM filter unit 474 and EMM address filter unit 476 for
providing functions similar to the above-described functions of
transport unit 120 in Figure 1. The high speed data-in and data-out
signals of interface 187 couple the high speed data stream of
the input signal between transport unit 120 and descrambler 185.
Including functions of transport unit 120 within smart card 180
enables smart card 180 to process incoming data packets at the
high data rate of the input signal. Both the data-in and packet
clock signals are coupled to unit 472.

In response to each transition in the packet clock
signal, unit 472 processes the 16 bits of header data. The first 12
bits of the header are program identification (PID) data that are
directed to PID & ECM filter unit 474. Unit 474 compares the
packet's PID data to PID values stored in unit 474 for each type of
packet included in the tuned channel. Similarly to the above-described
operation of transport unit 120 (see Table 1 above and
associated description), PID comparison in unit 474 determines
what type of data the payload contains, e.g., program guide, EMM,
video, or audio. PID values identifying packet types in the
currently tuned signal are stored in registers in unit 474. The
registers are loaded as part of the above-described tuning process
for the system in Figure 1. More specifically, microcontroller 160
accesses a stored PID "map" as described above and transfers PID
values associated with the currently tuned channel to registers in
unit 474 via signals 182 and security controller 183 in smart card
180. Transfer of data between security controller 183 and
functions of descrambler 185, such as unit 474, occurs via a data
bus internal to IC 181 that is not shown in Figure 4.

How the payload data is processed by smart card 180
is determined both by the results of PID comparison in unit 474
and by the contents of bits 13 to 16 of the packet header
extracted by unit 472. Using the example above relating to
channel 101 (see Table 1), PID data identifies: program guide data
(PID = 1) that microcontroller 160 processes to update the PID
map, EMM data (PID = 4) that security controller 183 processes to
modify entitlements, video data (PID = 10) and audio data (PID =
11). Bits 13 through 16 of the header control security-related
operations (see Table 2 above and the associated description) in
smart card 180. If bit 13 (ECM flag) is active, the payload
includes ECM data that requires key generation processing by
security controller 183. If bit 15 (ENC flag) is active, the payload
is encrypted and is descrambled in descrambling unit 478 within
descrambler 185. Bit 16 determines whether key A or key B will
be used in unit 478 for descrambling.

The encryption status bit ENC determines how payload
data will be processed by descrambling unit 478. Payload data
that is not encrypted passes unchanged from the high speed data-in
terminal of smart card 180 through descrambling unit 478 to
the high speed data-out terminal. Encrypted data is descrambled
at the data rate by unit 478. Descrambled video and audio data is
passed to the high speed data-out terminal of smart card 180. In
each descrambled audio or video packet, the ENC bit in the packet
header is set to logic 0 indicating that the packet is "clear", i.e.
descrambled.

To ensure that unauthorized users do not access
descrambled entitlement or key related data, descrambled EMM
or ECM data is not passed out of smart card 180 via the high
speed data out terminal. One approach is for the smart card to
simply remove the EMM or ECM data component from the data
stream at the output of the smart card. However, by monitoring
changes that occur to data in the data stream between the data
input and output of smart card 180, a hacker could obtain useful
information regarding the processing that is occurring in smart
card 180. For example, a hacker could assume that information
removed from the data stream by the smart card pertains to the
service associated with the smart card.

This problem is overcome by passing the original
scrambled EMM or ECM control information component, with the
ENC bit set to logic 1, through smart card 180 from the high speed
data-in terminal to the high speed data-out terminal. More
specifically, a first signal component of the input signal, such as
scrambled ECM or EMM control information, is processed, e.g.,
descrambled, by descrambler 478 to produce a first processed
signal such as descrambled data needed for key generation.
Information such as key information in the first processed signal
is used by descrambler 478 to process a second component of the
input signal to produce a second processed signal representing, for
example, descrambled video or audio data. The first signal
component of the input signal is combined with the second
processed signal to produce the output data stream from smart
card 180. Thus, for example, scrambled entitlement information
in the input signal may be descrambled and used by smart card
180, but corresponding data at the output is unchanged, thereby
reducing the information that can be obtained by a hacker
monitoring the data stream.

To further obscure the nature of processing occurring
in smart card 180, the original component of the input signal is
delayed before being re-inserted into the output data stream. The
delay ensures that the timing relationship between scrambled
control information, such as EMM and/or ECM, and descrambled
data, such as video and/or audio data, in the data output signal of
smart card 180 is substantially the same as the timing
relationship between scrambled control information and
scrambled data in the data input signal of smart card 180. As a
result, it is more difficult for a hacker to determine characteristics
of smart card 180 such as the internal descrambling delay by
monitoring the data stream.

Original scrambled data is delayed and re-inserted in
the data stream via first-in-first-out (FIFO) memory 477 and
router 479 in Figure 4. The input data signal to FIFO 477 is the
signal at the data input of descrambler 478. The delay through
FIFO 477 can be adjusted by control processor 183 to provide a
delay through FIFO 477 that corresponds to the particular
descrambling algorithm being executed in descrambler 478. For
example, the delay through FIFO 477 can be increased or
decreased by storing more or less data, respectively, in the FIFO
before beginning to read data from the FIFO. Router 479
combines delayed data from FIFO 477 with descrambled data
from descrambler 478 under control of control processor 183 to
produce the data output signal from smart card 180. Router 479
may comprise a multiplexer for selectively coupling either the
FIFO output or the descrambler output to the data output of smart
card 180 in response to a control signal provided by control
processor 183.

EMM and ECM data that is descrambled in
descrambling unit 478 is stored temporarily in RAM 426 in
security controller 183 until processed by security controller 183
for entitlement management and key generation. Transport unit
120 in Figure 1 receives the data (either unchanged or
descrambled) from the high speed data-out terminal of smart card
180. The PID value of each packet is checked and the payload is
transferred to the appropriate function in Figure 1 for further
processing (e.g., microcontroller 160 or decompressors 140 and
145).
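As an added example of the data path described in the preceding paragraphs (written for this page; it is not the patent's own logic, and the cipher is a toy stand-in), the following C model runs a constructed four-packet stream for channel 101 through descrambling unit 478, FIFO 477 and router 479. Video and audio packets leave the card descrambled with the ENC bit cleared, using the key register selected by the key flag; the ECM packet leaves byte-for-byte as it arrived, its decrypted contents going only to RAM 426; and because the FIFO depth matches the descrambling latency, control packets keep the same positions relative to program packets at the output as at the input. The payload length, the two-slot descrambling latency and the key bytes are assumptions of the example. The `timing_preserved` check fails when the FIFO depth set by the control processor does not match the descrambling latency, which is the mismatch the adjustable delay of FIFO 477 exists to avoid.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define PAYLOAD_LEN  8    /* constructed: the real format carries 186 payload bytes */
#define DESC_LATENCY 2    /* assumed latency of descrambling unit 478, in packet slots */
#define MAX_PKTS     16

/* One packet: PID, the Table 2 flags, and the payload. */
struct packet { uint16_t pid; bool ecm, enc, key_b; uint8_t payload[PAYLOAD_LEN]; };

/* Smart card 180 state: PID registers of unit 474, key registers of unit 478
 * (video A/B, audio A/B, ECM, EMM) and RAM 426 for decrypted control data. */
struct card {
    uint16_t pid_emm, pid_video, pid_audio;
    uint8_t key_video[2], key_audio[2], key_ecm, key_emm;
    uint8_t ram[MAX_PKTS][PAYLOAD_LEN];
    int ram_count;
};

/* Toy stand-in for the descrambling algorithm (XOR with a one-byte key);
 * the patent names DES and RSA but does not specify the cipher. */
static void toy_descramble(uint8_t *p, uint8_t key) {
    for (int i = 0; i < PAYLOAD_LEN; i++) p[i] ^= key;
}
/* Control information (EMM or ECM) must never leave the card in the clear. */
static bool is_control(const struct card *c, const struct packet *p) {
    return p->ecm || p->pid == c->pid_emm;
}
/* Descrambling unit 478: key selection by the flags and the PID registers. */
static struct packet descramble(const struct card *c, struct packet p) {
    uint8_t key;
    if (!p.enc) return p;                       /* clear packets pass unchanged */
    if (p.ecm)                      key = c->key_ecm;
    else if (p.pid == c->pid_emm)   key = c->key_emm;
    else if (p.pid == c->pid_video) key = c->key_video[p.key_b];
    else if (p.pid == c->pid_audio) key = c->key_audio[p.key_b];
    else return p;                              /* untuned PID: left alone */
    toy_descramble(p.payload, key);
    p.enc = false;                              /* mark the packet "clear" */
    return p;
}

/* Descrambler 478, FIFO 477 (depth fifo_delay slots, set by the control
 * processor) and router 479. Output slot t carries the FIFO output when a
 * control packet entered at t - fifo_delay, otherwise the descrambler output
 * when a program packet entered at t - DESC_LATENCY; used[t] is false when
 * neither path has a packet due. Returns the number of output slots. */
int run_card(struct card *c, int fifo_delay, const struct packet *in, int n,
             struct packet *out, bool *used) {
    int slots = n + (fifo_delay > DESC_LATENCY ? fifo_delay : DESC_LATENCY);
    for (int t = 0; t < slots; t++) {
        int sf = t - fifo_delay, sd = t - DESC_LATENCY;
        used[t] = false;
        if (sf >= 0 && sf < n && is_control(c, &in[sf])) {
            out[t] = in[sf];                    /* original scrambled control packet */
            used[t] = true;
        } else if (sd >= 0 && sd < n && !is_control(c, &in[sd])) {
            out[t] = descramble(c, in[sd]);     /* descrambled video or audio */
            used[t] = true;
        }
    }
    /* Decrypted control data goes to RAM 426 for CPU 421, never to the output. */
    for (int t = 0; t < n; t++) {
        if (!is_control(c, &in[t]) || c->ram_count >= MAX_PKTS) continue;
        struct packet d = descramble(c, in[t]);
        memcpy(c->ram[c->ram_count++], d.payload, PAYLOAD_LEN);
    }
    return slots;
}

/* True when each input packet appears exactly DESC_LATENCY slots later with its
 * control/program character preserved, i.e. the input timing relationship
 * between control information and program data is reproduced at the output. */
bool timing_preserved(const struct card *c, const struct packet *in, int n,
                      const struct packet *out, const bool *used) {
    for (int t = 0; t < n; t++) {
        if (!used[t + DESC_LATENCY]) return false;
        if (is_control(c, &in[t]) != is_control(c, &out[t + DESC_LATENCY])) return false;
    }
    return true;
}

/* Constructed channel-101 packet: payload byte i is (base + i) scrambled under key. */
static void make_packet(struct packet *p, uint16_t pid, bool ecm, bool key_b,
                        uint8_t base, uint8_t key) {
    p->pid = pid; p->ecm = ecm; p->enc = true; p->key_b = key_b;
    for (int i = 0; i < PAYLOAD_LEN; i++) p->payload[i] = (uint8_t)((base + i) ^ key);
}
/* Constructed scenario: video under key A, an ECM riding in a video packet,
 * audio under key B, video again. Key bytes are arbitrary. Returns the count. */
int build_demo(struct card *c, struct packet *in) {
    memset(c, 0, sizeof *c);
    c->pid_emm = 4; c->pid_video = 10; c->pid_audio = 11;
    c->key_video[0] = 0x5A; c->key_video[1] = 0xC3; c->key_audio[0] = 0x3C;
    c->key_audio[1] = 0x96; c->key_ecm = 0xE1; c->key_emm = 0x78;
    make_packet(&in[0], 10, false, false, 0x10, 0x5A);
    make_packet(&in[1], 10, true,  false, 0x40, 0xE1);
    make_packet(&in[2], 11, false, true,  0x20, 0x96);
    make_packet(&in[3], 10, false, false, 0x30, 0x5A);
    return 4;
}
```

Router 479 gives the FIFO path priority, so a FIFO depth that differs from the descrambling latency produces an empty output slot and a displaced control packet; that is exactly the change in timing relationship an observer on the data-out line could measure, and which the matched delay removes.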

The operation of smart card 180 is controlled by
commands from microcontroller 160 in Figure 1 that are
communicated to smart card 180 via the ISO standard serial
interface. In effect, microcontroller 160 is the master processor
and security controller 183 is the slave processor. For example,
microcontroller 160 transfers PID information to smart card 180
and directs the card to descramble the data in the corresponding
data streams. Security controller 183 responds by checking
entitlements and configuring smart card 180 for the appropriate
type of data processing such as entitlement processing, key
generation or descrambling. In addition, microcontroller 160
requests status information such as whether descrambling is in
progress. Commands are communicated to security controller 183
in smart card 180 via the serial I/O terminal. Any response
required by the command is returned to microcontroller 160 via
the serial I/O terminal. Thus, the serial I/O signal serves as a
control signal between the system and smart card 180 while the
high-speed data interface provides high-speed input and output
data signals between the card and the system.
Serial communications between microcontroller 160
and smart card 180 occur according to a protocol provided for in
ISO standard 7816-3. A smart card notifies the system of the
particular protocol that will be used by sending a protocol type
number T to the system. More specifically, when a card is
inserted into the card reader, the card reader applies power to the
card and resets the card by activating the reset signal. The card
responds to the reset signal with an "answer to reset" data
sequence specified in ISO standard 7816-3 §6. The answer to
reset includes an interface byte TDi. The four least significant bits of
byte TDi define the protocol type number T (see ISO standard
7816-3 §6.1.4.3).

The protocol type for the system shown in Figure 1 is
type T=5. A type 5 protocol is classified as "reserved", i.e.
currently undefined, in the ISO standard. For the system in Figure
1, protocol type 5 is identical to protocol type 0 (an asynchronous
half-duplex protocol defined in ISO 7816-3 §8) except for the
manner in which the baud rate for serial I/O is determined. Serial
I/O at the card interface occurs at a rate determined according to
Table 6 in ISO standard 7816-3. The baud rate calculation is
based on the rate at which security controller 183 is clocked. For
existing smart cards, the clock frequency for security controller
183 is equal to the clock frequency fs at the card's clock pin. As
shown in Figure 4, smart card 180 includes divider 422 for
dividing the rate of the high speed input clock Fin by a factor N,
i.e. Fin/N, to establish the clock rate for security controller 183.
Thus, for a type 5 protocol, Table 6 of ISO standard 7816-3 is
modified by defining fs = Fin/N.

As in the case of a type 0 protocol, all commands for a
type 5 protocol are initiated by microcontroller 160. A command
begins with a five byte header including a one-byte instruction
class designation (CLA), a one-byte instruction (INS), a two-byte
parameter (P1,P2) such as an address, and a one-byte number
(P3) defining the number of data bytes that are part of the
command and follow the header. For the system in Figure 1,
parameter P1,P2 is not needed and, therefore, these bytes are
"don't cares". Thus, commands take the form:

    CLA | INS | - | - | P3 | data (P3 bytes).

Commands recognized by smart card 180 include a
status command and a PID transfer command. Smart card 180
responds to a status command from microcontroller 160 by
providing the processing status of the card, e.g. whether the card
has completed key generation or whether the card is
descrambling data. Using a PID transfer command,
microcontroller 160 transfers PID numbers associated with the
tuned channel. Other commands such as commands for
transferring EMM and ECM data, key related commands, and
"purchase offer" commands are possible and will be explained
below.
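As an added example of the command format just described (example code written for this page, not the patent's; the CLA and INS byte values and the two-byte PID encoding are placeholders, since the patent gives none), the following C code builds a PID transfer command on the microcontroller 160 side and parses it on the card side. The card treats P3 as untrusted: it is checked against the number of bytes actually received and against the capacity of the PID registers before any register is written.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Command header: CLA | INS | P1 | P2 | P3 | data (P3 bytes). P1,P2 are
 * don't-cares in this system; P3 is the number of data bytes that follow.
 * The CLA/INS values below are placeholders chosen for this example. */
#define CLA_PLACEHOLDER   0x80
#define INS_STATUS        0x01
#define INS_PID_TRANSFER  0x02
#define CMD_HEADER_LEN    5
#define MAX_DATA_LEN      255   /* P3 is one byte */
#define PID_REGISTERS     8     /* assumed capacity of the PID registers in unit 474 */

struct command {
    uint8_t cla, ins, p1, p2, p3;
    const uint8_t *data;        /* points into the receive buffer; p3 bytes */
};

/* Microcontroller 160 side: build a PID transfer command carrying n 12-bit PID
 * values, each sent as two bytes big-endian (assumed encoding), so P3 = 2n.
 * Returns the command length, or -1 if it does not fit. */
int build_pid_transfer(const uint16_t *pids, int n, uint8_t *buf, size_t buflen) {
    size_t data_len = (size_t)n * 2;
    if (n <= 0 || data_len > MAX_DATA_LEN || buflen < CMD_HEADER_LEN + data_len) return -1;
    buf[0] = CLA_PLACEHOLDER; buf[1] = INS_PID_TRANSFER;
    buf[2] = 0x00; buf[3] = 0x00;               /* P1, P2: don't care */
    buf[4] = (uint8_t)data_len;                 /* P3 */
    for (int i = 0; i < n; i++) {
        buf[5 + 2 * i]     = (uint8_t)((pids[i] >> 8) & 0x0F);
        buf[5 + 2 * i + 1] = (uint8_t)(pids[i] & 0xFF);
    }
    return (int)(CMD_HEADER_LEN + data_len);
}

/* Smart card side: parse a received command. P3 is accepted only if it agrees
 * with the number of bytes actually received, so a short or oversized command
 * cannot make the card read past its buffer. Returns 0 on success, -1 otherwise. */
int parse_command(const uint8_t *buf, size_t len, struct command *cmd) {
    if (len < CMD_HEADER_LEN) return -1;
    cmd->cla = buf[0]; cmd->ins = buf[1]; cmd->p1 = buf[2]; cmd->p2 = buf[3]; cmd->p3 = buf[4];
    if (len != CMD_HEADER_LEN + (size_t)cmd->p3) return -1;
    cmd->data = buf + CMD_HEADER_LEN;
    return 0;
}

/* CPU 421: load the PIDs of a PID transfer command into the registers of
 * unit 474. Returns the number of registers written, or -1 when the command
 * is malformed or would overflow the register file. */
int card_load_pids(const struct command *cmd, uint16_t *regs, int nregs) {
    if (cmd->ins != INS_PID_TRANSFER || cmd->p3 % 2 != 0) return -1;
    int n = cmd->p3 / 2;
    if (n > nregs) return -1;
    for (int i = 0; i < n; i++)
        regs[i] = (uint16_t)(((cmd->data[2 * i] & 0x0F) << 8) | cmd->data[2 * i + 1]);
    return n;
}

/* Round trip: build on the microcontroller, parse and load on the card.
 * Returns the number of registers loaded, or -1. */
int pid_roundtrip(const uint16_t *pids, int n, uint16_t *regs, int nregs) {
    uint8_t buf[CMD_HEADER_LEN + MAX_DATA_LEN];
    struct command cmd;
    int len = build_pid_transfer(pids, n, buf, sizeof buf);
    if (len < 0 || parse_command(buf, (size_t)len, &cmd) != 0) return -1;
    return card_load_pids(&cmd, regs, nregs);
}

int main(void) {
    uint16_t pids[] = { 1, 4, 10, 11 }, regs[PID_REGISTERS];   /* Table 1, channel 101 */
    int n = pid_roundtrip(pids, 4, regs, PID_REGISTERS);
    printf("loaded %d PID registers; video PID = %u\n", n, (unsigned)regs[2]);
    return 0;
}
```

The length check in `parse_command` is the one a card implementation needs most: P3 arrives over the serial I/O line from the master processor, and a mismatch between P3 and the bytes actually delivered must be rejected rather than resolved by reading whatever happens to follow in the receive buffer.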

The operation of smart card 180, and in particular
descrambler 185, will now be described in more detail in
reference to Figures 5 through 8. When a new channel is tuned
microcontroller 160 transfers PID values for the new channel
from the PID map to smart card 180 as shown in Figure 5. The
PID data transfer occurs using a PID transfer command including
N PID values, where N is specified in byte P3 of the command
header. The command and PID values are communicated to the
card via the serial data terminal of smart card 180 and serial
input/output unit 424. CPU 421 receives the PID data and directs
the data to the appropriate PID register in registers 474 in
descrambler 185.

Before a signal can be descrambled, a user must be
entitled to access and the correct key must be loaded into
descrambler 185. After transfer of the PID data to smart card
180, security controller 183 compares the PID values to
entitlement data stored in EEPROM 423 to see if the user is
entitled to access the tuned channel. Assuming the user is
entitled, the next step is key generation. Key generation involves
processing ECM data. Thus, ECM must be received and processed
to produce the key before audio and video data can be
descrambled. ECM data is encrypted to reduce the likelihood of
unauthorized key generation. A card is issued with a key for
descrambling ECM stored in the card in EEPROM 423. As
illustrated in Figure 6, the ECM key is transferred by CPU 421
from EEPROM 423 to ECM key registers in descrambling unit 478.

If the user is not entitled to access the tuned channel,
entitlements must be received before key generation and
descrambling can occur. Entitlements can be received via EMM.
An "address" identifying a particular smart card is stored in EMM
address unit 476 of the card when the card is issued. By including
address information in EMM, a service provider can direct EMM to
a particular card. The smart card compares the address
information in EMM with the card address stored in unit 476 to
detect EMM information directed to the card. If a user is not
entitled, security controller 183 configures the card for EMM
processing as shown in Figure 6 in case EMM data is received.

As in the case of the ECM key, a card is issued with an
EMM key stored in the card in EEPROM 423. In Figure 6, the EMM
key is transferred from EEPROM 423 to EMM key registers in
descrambling unit 478 by CPU 421. Scrambled EMM data from
transport unit 120 in Figure 1 is input to the card via the high
speed data-in port. After checking the EMM address in unit 476,
EMM data intended for the card is decrypted in descrambling unit
478. Decrypted EMM data is temporarily stored in RAM 426 and
processed by CPU 421 to update entitlement data stored in
EEPROM 423.

After the PID values are loaded, entitlements exist,
and the ECM key is in place in descrambler 185, the card is ready
to descramble ECM data and generate the audio and video keys.
In Figure 7, ECM data in the signal is received by smart card 180
via the high speed data-in terminal and detected by transport
decode unit 472. The ECM data is directed to descrambler 478
where the previously loaded ECM key is used to decrypt the ECM
data. The decrypted ECM data is transferred from descrambler
478 to RAM 426. When decrypted ECM data is available, CPU 421
executes key generation algorithms stored in EEPROM 423 and
ROM 425 using the decrypted ECM data in RAM 426 to generate
the video and audio keys. The generated keys are transferred to
the appropriate video and audio key registers in descrambler 478.

As shown in Figure 7, descrambler 478 includes two
key registers for video, video keys A and B, and two key registers
for audio, audio keys A and B. Whether key A or B will be used to
descramble a particular packet is determined by the key flag bit
in the packet header (see Table 2 above). The "multi-key" feature
is used to permit a new key to be generated while an existing key
is being used to descramble data. Processing ECM data in security
controller 183 to generate a new key and transferring the new
key to a key register in descrambler 478 requires a significant
number of instruction cycles in CPU 421. If descrambling were
halted during the generation and transfer of a new key, the
processing delay would require someone viewing a program to
watch a scrambled image until the new key was in place in
descrambler 478. Having key registers A and B permits data to
be decrypted using a key in one key register, e.g., key register A,
while a new key is being generated and loaded into the second
key register, e.g., key register B. After initiating key generation
by transmitting ECM data, a service provider waits for a time
period sufficient to ensure that new key B is generated and in
descrambler 478 before encrypting packets using key B. The key
flag notifies descrambler 185 when to begin using the new key.
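As an added example of the A/B key register scheme (written for this page, not the patent's own code), the following C simulation lets CPU 421 generate a new key B over several packet slots while packets scrambled under key A continue to be descrambled, and lets the service provider flip the key flag after a chosen number of slots. The key generation time in slots, the key bytes and the XOR stand-in for the descrambling algorithm are assumptions of the example; the count it returns shows how many packets a viewer would see in the clear for a given provider waiting time.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Assumed cost of generating a key from ECM data in CPU 421 and loading it
 * into a register of descrambler 478, measured in packet slots. */
#define KEYGEN_SLOTS 5

/* Video key registers A (index 0) and B (index 1) of descrambler 478 (Figure 7). */
struct key_regs {
    uint8_t key[2];
    bool loaded[2];
};

/* Key generation in progress in security controller 183. The key is a toy:
 * the ECM byte is used directly, since the patent's algorithm is not given. */
struct keygen {
    int remaining;        /* slots until the new key is in its register */
    uint8_t new_key;
    int target;           /* 0 = register A, 1 = register B */
};

void keygen_start(struct keygen *g, uint8_t ecm_byte, int target) {
    g->remaining = KEYGEN_SLOTS;
    g->new_key = ecm_byte;
    g->target = target;
}

/* Advance one packet slot; the register is written when generation completes. */
void keygen_tick(struct keygen *g, struct key_regs *r) {
    if (g->remaining <= 0) return;
    if (--g->remaining == 0) {
        r->key[g->target] = g->new_key;
        r->loaded[g->target] = true;
    }
}

/* Descramble one payload byte with the register named by the key flag (toy
 * cipher: XOR). Returns false when that register is not loaded yet, which is
 * when a viewer would see a scrambled picture. */
bool descramble_byte(const struct key_regs *r, bool key_b, uint8_t in, uint8_t *out) {
    if (!r->loaded[key_b]) return false;
    *out = in ^ r->key[key_b];
    return true;
}

/* Provider and card over 'total' slots: key A is in use, an ECM at slot 0
 * starts generation of key B, and the provider marks packets with key flag B
 * from slot 'switch_after' on. Packets before the switch are scrambled under
 * A, after it under B. Returns how many packets descrambled to plaintext. */
int simulate_rollover(int switch_after, int total) {
    const uint8_t key_a = 0x5A, key_b_from_ecm = 0xC3;   /* constructed key bytes */
    struct key_regs regs = { { key_a, 0 }, { true, false } };
    struct keygen gen = { 0, 0, 0 };
    keygen_start(&gen, key_b_from_ecm, 1);
    int good = 0;
    for (int t = 0; t < total; t++) {
        keygen_tick(&gen, &regs);               /* CPU 421 keeps working on key B */
        bool flag_b = t >= switch_after;
        uint8_t plain = (uint8_t)t;
        uint8_t scrambled = plain ^ (flag_b ? key_b_from_ecm : key_a);
        uint8_t out;
        if (descramble_byte(&regs, flag_b, scrambled, &out) && out == plain) good++;
    }
    return good;
}

int main(void) {
    printf("switch after %d slots: %d/10 packets clear\n", KEYGEN_SLOTS,
           simulate_rollover(KEYGEN_SLOTS, 10));
    printf("switch after 2 slots: %d/10 packets clear\n", simulate_rollover(2, 10));
    return 0;
}
```

With a waiting time of at least `KEYGEN_SLOTS` every packet descrambles, because register A serves the stream while B is being filled; switching the flag earlier leaves the packets between the switch and the completion of key generation unreadable, which is the scrambled image the text describes.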

After the operations shown in Figures 5, 6, and 7,
descrambler 478 has been initialized with all key information
needed to process encrypted data in the tuned channel, including
EMM, ECM, video and audio data. Figure 8 shows the signal flow
for data processing. Encrypted data enters smart card 180 via the
high speed serial data input terminal. The data is decrypted in
descrambler 478 using the previously loaded keys. For example,
if transport unit 472 determines from the header of an incoming
packet that the payload data is video data associated with video
key A, the packet payload is decrypted in descrambler 478 using
video key A. The decrypted data is output directly from smart
card 180 via the high speed serial data output terminal. Note that
data processing in Figure 8 does not require interaction between
descrambling unit 185 and security control unit 183 allowing
descrambler 478 to process data at the high data rate of the input
signal.

Key generation in security controller 183 combined
with the descrambling features of descrambling unit 478 provides
complete capability in smart card 180 for processing signals
encrypted using a variety of algorithms including the data
encryption standard (DES) algorithm and Rivest-Shamir-Adleman
(RSA) algorithms. By providing all access control
related processing within smart card 180, security related data
such as key data does not have to be transferred out of smart card
180. As a result, security is improved significantly in comparison
to systems using a descrambler external to the smart card.

Although the use of descrambler 185 internal to smart
card 180 is advantageous, an external descrambler such as
descrambler 130 in Figure 1 may also be used. An external
descrambler may be desirable for compatibility of the described
smart card with existing pay-TV systems that generate the key in
smart card 180 and transfer the key to descrambler 130.
Alternatively, using both descrambler 185 and descrambler 130
may be desirable. For example, security can be improved by
encrypting a signal twice using two different keys. A twice-encrypted
signal could be decrypted using the system shown in
Figure 1 by: decrypting the signal once in descrambler 185 using
the first key, transferring the partially decoded data to
descrambler 130, and decrypting the signal a second time in
descrambler 130 using the second key. The second key would be
generated in smart card 180 and transferred to descrambler 130.
For applications involving descrambler 130 (i.e.
applications in which key data is transferred out of smart card
180), commands are provided for transferring the key data via
the serial I/O interface between controller 160 and smart card
180. For example, microcontroller 160 sends ECM data to the card
in one command and requests the status of key generation with a
status command. When the status data indicates that key
generation is complete, another command requests the key data
and the card responds by sending the key data to controller 160.
Subsequently, the key is transferred to descrambler 130.

Various modifications of the described embodiments
are possible. For example, it will be readily apparent to one
skilled in the art that the invention is applicable to signals and
systems other than those described. For example, video systems
and video signal protocols other than that depicted in Figure 3
include the above-mentioned DSS® satellite system and high-definition
television (HDTV). The described type of access control
system is also applicable to signal processing systems such as
cellular telephone systems in which processing entitlements may
involve determining whether a user is entitled to access a cellular
telephone system and, if so, processing a scrambled cellular
telephone signal.

Applications such as a cellular telephone system
involve generating an outgoing signal in addition to processing an
incoming signal. Generating an outgoing signal requires
encryption. The described smart card can encrypt data if
appropriate encryption software is stored in EEPROM and ROM in
smart card 180. Thus, the invention is applicable to signal source
applications such as telephone systems or "head-end" applications
in cable TV systems. These and other modifications are intended
to be within the scope of the following claims.
1. A smart card comprising: 

a first terminal for receiving an input signal including 
first and second signal components; 

a second terminal for providing an output signal; 

means for processing said first signal component for 
producing a first processed signal, and being responsive to said 
first processed signal for processing said second scrambled 
component for producing a second processed signal; and 

means for combining said first signal component of 
said input signal and said second processed signal to produce said 
output signal. 

2. The smart card of claim 1 wherein 

said means for combining said first signal component 
of said input signal and said second processed signal producing a 
predetermined timing relationship between said first signal 
component and said second processed signal in said output signal. 

3. The smart card of claim 2 wherein said means 
for combining said first signal component of said input signal and 
said second processed signal comprising: 

means for delaying said first signal component to 
produce a delayed signal exhibiting substantially said 
predetermined timing relationship with respect to said second 
processed signal; and 

means for combining said delayed signal and said 
second processed signal to produce said output signal. 

4. The smart card of claim 3 wherein 

said input signal exhibiting an input timing 
relationship between said first signal component and said second 
signal component; and 

said predetermined timing relationship being 
substantially the same as said input timing relationship. 

5. The smart card of claim 4 wherein said first and 
second signal components of said input signal comprise respective 
first and second scrambled signal components and said first and 
second processed signals comprise respective first and second 
descrambled signals. 

6. The smart card of claim 5 wherein said means 
for delaying said first signal component of said input signal 
comprises a first-in-first-out memory device. 

7. The smart card of claim 6 further comprising 
means responsive to said first descrambled signal for producing 
control information; said means for producing said first and 
second descrambled signals being responsive to said control 
information for producing said second descrambled signal. 

8. The smart card of claim 7 wherein 

said means for producing said first and second 
descrambled signals, said means for producing said control 
information and said means for combining said first scrambled 
signal component and said second descrambled signal to produce 
said output signal being included in an IC mounted in said smart 
card; and 

said first and second terminals being positioned on a 
surface of said smart card. 

9. The smart card of claim 8 further comprising a 
third terminal positioned on said surface of said smart card for 
receiving a timing signal; 

said means for producing said first and second 
descrambled signals being responsive to said timing signal for 
processing said input signal at a first data rate to produce said 
output signal at said first data rate. 

10. The smart card of claim 9 wherein said first data 
rate exceeds 10 mega-Hertz. 

11. The smart card of claim 9 wherein said means 
for producing said control information processes said first 
descrambled signal at a second data rate for producing said 
control information. 

12. The smart card of claim 11 wherein said first 
data rate is greater than said second data rate. 

13. The smart card of claim 12 further comprising a 
frequency divider coupled to receive said timing signal for 
producing a clock signal at a frequency related to said second data 
rate; said means for producing said control information being 
responsive to said clock signal for producing said control 
information. 

14. The smart card of claim 5 wherein 

said first scrambled signal component comprises 
entitlement management information for a pay-for-access service; 
and 

said second scrambled signal component comprises 
data provided by said pay-for-access service. 

15. The smart card of claim 14 wherein said pay-
for-access service comprises a pay-TV service; said entitlement 
management information comprises television programming 
entitlement information; and said data provided by said pay-for-
access service comprises television program data. 

16. The smart card of claim 9 wherein said first, 
second and third terminals being included in a plurality of 
terminals arranged on said surface of said smart card in 
accordance with ISO standard 7816-2. 

17. The smart card of claim 16 wherein said smart 
card exhibits a mechanical characteristic in accordance with ISO 
standard 7816-1. 
Unfortunately, some microprocessors have a current consumption 
that depends on the computations performed inside the card. Thus 
a cryptographic computation whose computation tree depends on the 
digits of the key used will have different current-consumption 
signatures depending on the value of that key. As a result, a 
fraudster could correlate the current-consumption signature with 
the key used and so work back to the value of the key. 

To prevent this correlation, a common countermeasure is to 
program the cryptographic algorithm in such a way that, whatever 
the value of the key, the algorithm always goes through the same 
computation steps. 

Many so-called "byte-oriented" algorithms lend themselves well 
to this style of programming, but others pose technical problems 
that can only be overcome at the cost of less optimal 
computational performance. 

The present invention therefore aims to implement, in 
microprocessor cards, devices for masking the operations 
performed while leaving the programmer free to choose the 
programming rules, whether of the "byte-oriented" type or not. 

This aim is achieved by modifying or scrambling the card's 
consumption so that its signature is independent of the 
computations performed. 

This modification or scrambling of the signature can be obtained 
by adding to the card a device that modifies the current 
consumption. 

In a first embodiment, this device consumes electrical power in 
an irregular or random manner, and this consumption adds to the 
normal consumption. 

In a second embodiment, this device produces an average 
consumption, for example by integrating the current consumed. 

In a third embodiment, this device triggers the programming or 
erasing circuit of the microprocessor's memory, which consumes 
power in a chaotic manner; that power masks the consumption due 
to the operations performed by the microprocessor during the 
programming or erasing of the memory. 

Other features and advantages of the present invention will 
appear on reading the following description of particular 
embodiments, given with reference to the attached drawings, in 
which: 

- figure 1 is a block diagram of a first embodiment of the 
invention, 

- figure 2 is a block diagram of a second embodiment of the 
invention, and 

- figure 3 is a block diagram of a third embodiment of the 
invention. 

In the figures, each of which schematically shows different 
means for implementing the invention, the electronic chip 10 
containing the card's microprocessor comprises a central 
processing unit 12 and at least one memory 14, for example of 
the type known by the acronym EEPROM (electrically erasable 
programmable read-only memory). This chip has several input 
and/or output terminals 16₁ to 16₈, one of which is connected to 
a power-supply circuit 18 at voltage Vcc while another is 
connected to ground. 

The power-supply circuit 18 supplies the various elements of the 
electronic chip 10, in particular the memory 14 and the central 
processing unit 12, with a current I_out. This current I_out is 
a function of the operations performed by the central processing 
unit and the memory and therefore reflects the cryptographic 
computations, which could make it possible to determine the key. 
So that this current I_out no longer reflects the operations 
performed, the invention proposes to modify it by means of a 
device 20 or 30 placed in the chip 10 and connected, for example, 
to one of the input terminals 16. 

The invention proposes to modify the current in two different 
ways. The first is to have the device 20 (figure 1) consume 
current in a random, or at least irregular, manner; this 
additional random consumption, added to the normal current 
consumption I_in, makes the value of I_out random. 

The second way is to average the value of I_in, which prevents 
detection of the variations in I_in caused by the operations 
performed. 

In the first case, the device 20 can be made from resistors 30 
(in practice transistors) that are powered or not according to 
random signals supplied by a generator 28. The currents flowing 
in the powered resistors add up, changing the value of the total 
current and masking the current due to the cryptographic 
computations. 

In the second case, the average of the current I_out is obtained 
by an integrator that "smooths" the variations of I_in so as to 
erase them. 

According to the invention, several devices 20 or 30, referenced 
20₁ and 30₁, can be connected at different points of the 
electronic chip, for example on the supply conductor of the 
central processing unit (reference 22). Moreover, these devices 
20, 20₁, 30 and 30₁ can be connected or not depending on whether 
the operations are to be secured, the connections being made 
under the control of signals supplied by the central processing 
unit 12 (dashed lines). 

The invention proposes a third way of scrambling the value of 
I_out: performing the operations to be secured, such as 
cryptographic computations, during certain phases of the 
programming or erasing operations of memory 14, these operations 
being under the control of the central processing unit 12. 

This third way relies on the use of an EEPROM-type memory 14 
that has the capability of self-writing. 

In a usual mode of operation, the microprocessor starts a 
programming circuit 24 of memory 14 according to the following 
steps: 

1 - start the charge pump, 

2 - present the data to be written on the data bus, 

3 - present the write address on the address bus, 

4 - start programming, 

5 - wait for a programming delay, 

6 - stop programming, 

7 - stop the charge pump. 

Since programming an EEPROM cell requires injecting electric 
charges into the cell being programmed, steps 4, 5 and 6 are 
accompanied by an over-consumption of current of chaotic 
appearance that depends essentially on the value of Vcc, the 
address, the programmed value and the temperature of the 
component. 

In order to mask the current-consumption signature of, for 
example, a cryptographic computation, the invention proposes to 
use the chaotic consumption of steps 4, 5 and 6 by performing the 
cryptographic computation during step 5, which lasts a few 
milliseconds. 

To do this, the cryptographic computation is performed according 
to the following steps: 

1 - start the charge pump, 

2 - present random data on the data bus, 

3 - present a write address on the address bus, 

4 - start programming, 

5 - perform the cryptographic computation, 

6 - stop programming, 

7 - stop the charge pump. 

With these steps, the current-consumption signature due to the 
cryptographic computation of step 5 is masked by the writing of 
the random data into a specific part 26 of the EEPROM memory 
reserved for this function. 

Instead of a cryptographic computation, step 5 may consist of any 
operation to be secured against the outside world. 

Furthermore, instead of performing these operations to be secured 
during a write to memory 14, they can be performed during an 
erasure of memory 14. 
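A constructed simulation, added here and not code from the patent, of the three masking devices described above (figures 1 to 3): it models the supply current I_out as the key-dependent activity of the CPU plus each device's contribution, and reports how strongly I_out still correlates with that activity. All current values, the resistor count, the integrator window and the noise levels are assumed, in arbitrary units.

```python
import random
import statistics


def hamming_weight(x: int) -> int:
    """Set-bit count: a standard proxy for the current drawn when a register is loaded with x."""
    return bin(x).count("1")


def pearson(xs, ys) -> float:
    """Pearson correlation, the statistic that a consumption signature leaks through."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def simulate(mode: str, key: int = 0x5A, n: int = 2000, seed: int = 1) -> float:
    """Model I_out with one sample per operation and return its correlation with
    the key-dependent activity. mode selects the device fitted to the chip:
    'none', 'random_load' (fig. 1), 'integrator' (fig. 2), 'eeprom_write' (fig. 3)."""
    rng = random.Random(seed)
    inputs = [rng.randrange(256) for _ in range(n)]          # constructed input bytes
    activity = [hamming_weight(key ^ m) for m in inputs]      # what the key leaks
    i_in = [a + rng.gauss(0.0, 0.5) for a in activity]        # CPU/memory current I_in
    if mode == "none":
        i_out = i_in
    elif mode == "random_load":
        # Bank of 8 resistors 30, each switched on by a random bit from generator 28;
        # the extra current simply adds to I_in.
        i_out = [i + 4.0 * sum(rng.getrandbits(1) for _ in range(8)) for i in i_in]
    elif mode == "integrator":
        # Integrator averages I_in over a window, smoothing per-operation variation.
        window = 32
        i_out = [statistics.fmean(i_in[max(0, t - window + 1):t + 1]) for t in range(n)]
    elif mode == "eeprom_write":
        # Computation performed during programming step 5: the large, chaotic cell
        # programming current (assumed mean 30, sigma 20) sits on top of I_in.
        i_out = [i + 30.0 + rng.gauss(0.0, 20.0) for i in i_in]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return pearson(i_out, activity)


if __name__ == "__main__":
    for mode in ("none", "random_load", "integrator", "eeprom_write"):
        print(f"{mode:13s} correlation with key-dependent activity: {simulate(mode):.3f}")
```

The devices lower the correlation rather than remove it, so a leakage assessment should treat the residual value as the quantity to drive down, not as zero.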
CLAIMS 

3 - Device according to claim 1 […] of resistors (20), the bank 
of resistors being controlled […] to modify the current 
consumption. 

[…] to perform simultaneously […] a write or erase operation of 
the memory (14) and an operation of the microprocessor. 

6 - Device according to claim 5, characterised in that […] to 
carry out a write operation […] the memory (14) comprises a 
part […] reserved […] 

[…] characterised in that the activation of each of the means 
for modifying the current consumption is controlled by the 
microprocessor (12) so as to […] only the secured operations. 

[…] cryptographic computation according to the following steps: 

- start the charge pump, 

- […], 

- […] write address, 

- start programming, 

- perform the cryptographic computation, 

- stop programming, 

- stop the charge pump, 

so as to mask the […] signature caused by said cryptographic 
computation. 

[…] comprises the following steps: 

- start the charge pump, 

- […] write address, 

- start programming, 

- stop programming, 

- stop the charge pump. 